SPLK-3001 Leak Questions

The Status Configuration window in Splunk Enterprise Security allows you to manage and customize the investigation statuses and the status transitions for notable events. You can specify which roles can change the status of a notable event from one status to another. For example, you can restrict the ess_user role from changing the status of Resolved notable events to Closed by removing the ess_user role from the status transitions for the Closed status. This way, only the roles that have the permission to change the status to Closed can close the Resolved notable events. References =

• Manage and customize investigation statuses in Splunk Enterprise Security

Detailed information about identities, such as user names, email addresses, phone numbers, and roles, is stored in the Identity Lookup CSV file in Splunk Enterprise Security. The Identity Lookup CSV file is a lookup file that contains the identity data that is collected and extracted from various data sources, such as Active Directory, LDAP, or custom identity lists. The Identity Lookup CSV file is used to enrich events with identity information and generate notable events based on identity correlation searches. You can view and manage the Identity Lookup CSV file using the Asset and Identity Management page in Splunk Enterprise Security. References =

• Manage assets and identities in Splunk Enterprise Security
• Identity Lookup CSV file

 A prefix of Splunk_TA_ would allow an add-on to be automatically imported into Splunk Enterprise Security. Splunk Enterprise Security uses a naming convention to identify and import add-ons that are compatible with the Common Information Model (CIM). Add-ons that start with Splunk_TA_ are automatically imported into Splunk Enterprise Security and mapped to the appropriate data models. Add-ons that do not follow this naming convention must be manually imported and configured in Splunk Enterprise Security1. A prefix of CIM_ or TECH_ does not indicate an add-on that can be automatically imported. A suffix of .spl is the file extension for Splunk apps and add-ons, but it does not guarantee that they are compatible with Splunk Enterprise Security. References =

• Import add-ons into Splunk Enterprise Security

A key feature of a glass table is customization. A glass table is a dashboard that allows you to create dynamic and interactive visualizations of your security data. You can customize a glass table by adding static images and text, the results of ad-hoc searches, and security metrics that show the values of KPIs, service health scores, or notable events. You can also configure the appearance, behavior, and drilldown options of the glass table elements. A glass table is not rigid, but flexible and adaptable to your security needs. A glass table is not designed for interactive investigations, but for high-level monitoring and analysis. A glass table does not store data for later retrieval, but shows real-time data generated by KPIs and services. References =

• Create and manage glass tables in Splunk Enterprise Security
• Add security metrics to a glass table in Splunk Enterprise Security